A recent wave of domain hijacking attacks has hit government websites. The US government decided to take action with a new directive. The US Department of Homeland Security (DHS) issued an emergency directive to tighten DNS security. This directive appears one week after a US-CERT warned of the same problem.
Deadline for Admins
The directive gives admins looking after US .gov domains until 5th February to take action. If they can’t, then they need to provide explanations.
- Verification that no important domains have been tampered with. They also need to resolve to the correct IP addresses.
- Passwords changed on all accounts used to manage domain records.
- Multi-factor authentication is turned on to protect admin accounts from attack.
- Certificate Transparency (CT) logs must be monitored for new TLS certificates. This is to prevent certificates issued by malicious actors.
The directive mentions domain hijacking campaigns from November and January. One of the attacks hinted government websites were included.
In the DHS warning, the US Government stated: “CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign”
The site CyberScoop claimed unnamed sources mentioned at least six US civilian agencies affected by malicious DNS activity.
The commercial sector has been battling domain hijacking for years. One attack disrupted parts of Craigslist in November 2014. This successful attack allowed attackers to take over the account used to manage the domains.
These attackers change the records so the IP address is pointing to a website controlled by them. Visitors to the site are unaware of the attack because they entered the correct domain name.
Security is difficult as many US Government agencies are dealing with thousands of domains. Another complication is the government shutdown, which has left many agencies understaffed. This makes implementing the directive problematic.
Chris Krebs of the CISA tweeted that while there are challenges, the actions are necessary and urgent.